May 14, 2008 Slide 4
PIV Business and Technical Architecture
Tim Baldridge
Slide 5
Slide 6
PIV System Notional Model
Slide 7
Business Architecture Components
Functional areas shown: Identity Management, Credential Management, Access Management
• Security Clearance
  – Security Clearance Mgmt
• Facility Management
  – Facility Inventory Mgmt
• IT Management
  – IT System Inventory Mgmt
• E-QIP System
  – Investigation Management
• Procurement
  – Contract/Agreement Mgmt
• Credential Inventory
  – Component Supply Mgmt
• Identity Management
  – Position Assessment
  – Identity Lifecycle Mgmt
  – Identity Maintenance
  – Biometrics Management
• Investigation Tracking
  – Investigation Management
• PKI Management
  – Certificate Management
• Credential Planning
  – Production Planning
  – Template Management
  – Standards and Controls
• Credential Mgmt
  – Credential Production
  – Credential Lifecycle Mgmt
  – Credential Condition Mgmt
• Human Capital Mgmt
  – Position Management
  – Organization/Program Structure Management
• Asset Management
  – Asset Inventory Mgmt
  – Asset Group Mgmt
  – Access Rule Management
• Authorization
  – Community Management
  – Permission Management
• Authentication
  – Access Control Mgmt
  – Access Authentication
• Foreign National
  – Foreign Nationals Mgmt
Slide 8
Shared Component Architecture Concept Diagram
Slide 9
PIV Data Flow (diagram; only the labels "PACS" and "Certificate Authority" survived extraction)
Slide 10
FIPS 201-1 Logical Credential Model
• Mandatory PIV data elements:
  – A PIN
  – A CHUID (Card Holder Unique Identifier, which carries the FASC-N)
  – PIV authentication data (one asymmetric key pair and corresponding certificate)
  – Two biometric fingerprints
• Optional PIV data elements:
  – An asymmetric key pair and corresponding certificate for digital signatures
  – An asymmetric key pair and corresponding certificate for key management
  – Asymmetric or symmetric card authentication keys for supporting additional physical access applications
  – Symmetric key(s) associated with the card management system
Slide 11
PKI – Is Key!
• Compliant PIV card certificates:
  – Issued only from a CA in the Federal PKI under the FPKIPA Common Policy
  – Contain the application object identifiers (OIDs) specific to each data model element's certificate type
• PIV Card Issuer (PCI) digital signatory:
  – Issued only from a CA in the Federal PKI under the FPKIPA Common Policy
  – Signs the PIV data model elements: CHUID, fingerprints, Security Object, photo
Slide 12
Identity Assurance Authentication Levels
• SOME confidence: a basic degree of assurance in the identity of the cardholder
• HIGH confidence: a strong degree of assurance in the identity of the cardholder
• VERY HIGH confidence: a very strong degree of assurance in the identity of the cardholder
Slide 13
Identity Assurance Authentication Levels (cont.)
(table mapping authentication mechanisms to the three assurance levels; only the "PKI" entries survived extraction)
Slide 14
Card Authentication Certificate Enabled PACS Readers
• The challenge is to PKI-enable legacy PACS door readers
• Legacy, two-step mechanism:
  – Enroll the PIV card, with full PKI validation, at the head-end
  – Push a hash of the certificate or public key, together with the FASC-N, to the door panel
  – The panel only matches that stored value, so a certificate revoked after enrollment is still accepted until the head-end re-validates and removes the record
• Next generation: full PKI revocation check at each access point
Slide 15
Take-Home…
• For more than SOME confidence:
  – Validate the digitally signed objects
  – Validate the signer certificates up to the FPKIPA root
  – Validate that no certificate in the path is revoked
• This applies to both logical and physical access use cases
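Added example, not from the slides or from the presenter: a Go program that models slides 14 and 15 together. A constructed three-tier hierarchy (self-signed root, agency issuing CA, PIV Authentication certificate on P-256) stands in for a Federal PKI Common Policy path; every name, key, serial and the FASC-N string are generated or made up for the example, and nothing in it is a real certificate. `validatePath` is the take-home check, generalized to every certificate below the trust anchor rather than only the card: build the path to the root, then require from each certificate's own issuer a fresh, correctly signed CRL that does not list it, failing closed when the CRL is missing, unsigned or past its NextUpdate. `panelRecord` and `legacyDoor` model the legacy two-step PACS design (FASC-N plus a hash of the card's public key pushed to the panel; the door only has the card sign a nonce and matches the record), so after `revokeCard` publishes a new CA CRL the legacy door still admits the card while the full check rejects it. The real Federal PKI also uses OCSP and certificate policy OID checks, which this example leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type pivPath struct {
	root, ca, card *x509.Certificate // constructed root -> issuing CA -> PIV Authentication cert
	caKey, cardKey *ecdsa.PrivateKey
	crls           map[string][]byte // issuer subject -> DER CRL issued by that CA
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and signs a certificate for it; a nil parent means self-signed.
func issue(serial int64, cn string, ku x509.KeyUsage, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, signer = t, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)))), key
}

func issueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate) []byte {
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: revoked}, issuer, key))
}

func buildPath() *pivPath { // all names are assumed; nothing here is a real Federal PKI certificate
	caKU := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey := issue(1, "Example Federal Root (assumed)", caKU, nil, nil)
	ca, caKey := issue(2, "Example Agency Issuing CA (assumed)", caKU, root, rootKey)
	card, cardKey := issue(3, "PIV Authentication (assumed cardholder)", x509.KeyUsageDigitalSignature, ca, caKey)
	crls := map[string][]byte{root.Subject.String(): issueCRL(root, rootKey, nil), ca.Subject.String(): issueCRL(ca, caKey, nil)}
	return &pivPath{root: root, ca: ca, card: card, caKey: caKey, cardKey: cardKey, crls: crls}
}

func (p *pivPath) revokeCard() { // publish a fresh CA CRL that lists the card certificate
	p.crls[p.ca.Subject.String()] = issueCRL(p.ca, p.caKey, []pkix.RevokedCertificate{{SerialNumber: p.card.SerialNumber, RevocationTime: time.Now()}})
}

// validatePath is the take-home check: path to the trusted root, then every cert below the root must be
// absent from a fresh, correctly signed CRL of its own issuer; a missing or bad CRL fails closed.
func validatePath(p *pivPath) error {
	pool := func(c *x509.Certificate) *x509.CertPool { cp := x509.NewCertPool(); cp.AddCert(c); return cp }
	chains, err := p.card.Verify(x509.VerifyOptions{Roots: pool(p.root), Intermediates: pool(p.ca), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return err
	}
	for i, chain := 0, chains[0]; i < len(chain)-1; i++ { // chain is leaf first, trust anchor last
		cert, issuer := chain[i], chain[i+1]
		crl, err := x509.ParseRevocationList(p.crls[issuer.Subject.String()])
		if err != nil || crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
			return fmt.Errorf("missing, unsigned or stale CRL from %s", issuer.Subject.CommonName)
		}
		for _, r := range crl.RevokedCertificates {
			if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("revoked: %s", cert.Subject.CommonName)
			}
		}
	}
	return nil
}

// panelRecord is what the legacy two-step design pushes to the door panel: FASC-N plus a hash of the card's public key.
func panelRecord(card *x509.Certificate, fascn string) string {
	return fmt.Sprintf("%s|%x", fascn, sha256.Sum256(card.RawSubjectPublicKeyInfo))
}

// legacyDoor is step two: the card signs a reader nonce (cardKey stands in for the on-card key), the reader
// checks it against the presented cert and matches the panel record; no path is built and no CRL is read.
func legacyDoor(presented *x509.Certificate, cardKey *ecdsa.PrivateKey, fascn string, panel map[string]bool) bool {
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	sig := must(ecdsa.SignASN1(rand.Reader, cardKey, nonce))
	pub, ok := presented.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, nonce, sig) && panel[panelRecord(presented, fascn)]
}

func main() {
	p, panel, fascn := buildPath(), map[string]bool{}, "FASC-N-0001-0001-000001" // constructed FASC-N stand-in
	fmt.Println("step one, head-end full path check:", validatePath(p)) // nil here, so the record is loaded
	panel[panelRecord(p.card, fascn)] = true
	p.revokeCard()
	fmt.Println("legacy door:", legacyDoor(p.card, p.cardKey, fascn, panel), "| full PKI check:", validatePath(p))
}
```

Running it prints a nil error for the head-end enrollment check, then `legacy door: true` next to a `revoked: PIV Authentication (assumed cardholder)` error from the full check, which is the gap slide 14 describes and the reason slide 15 asks for path and revocation validation at every access point. The CRL lookup is keyed by issuer so the same loop covers the card certificate against the CA's CRL and the CA certificate against the root's CRL; treating a missing or stale CRL as failure rather than as "not revoked" is the fail-closed choice a PACS head-end should make.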